Hi, folks. We've recently updated the CERT® Basic Fuzzing Framework (BFF). The new BFF 1.1 contains new functionality and improves performance.
The BFF is a framework to perform file mutation fuzzing for Linux applications. Since the initial release of the BFF, we have made some improvements:
The virtual machine
We upgraded the OS to the testing version of Debian ("Squeeze"). In the process of installing applications to fuzz, I noticed that some of them required libraries newer than those available in the stable version of Debian. The VM used by the BFF is now more modern.
The virtual machine now includes a generic VESA video driver in addition to the VMware driver. This can simplify the use of the BFF with other virtualization products, like VirtualBox.
In some cases, the gdb process would hang during a fuzzing run, which could result in resource exhaustion. The gdb process is now properly killed when its timeout expires.
BFF 1.0 discarded crashes caused by the SIGABRT signal. The reason for this was to ignore, by default, crashes that were the result of a failed assertion. However, this feature was also discarding heap corruption crashes that were caught by glibc. BFF 1.1 now investigates SIGABRT crashes to determine if they are the result of a failed assertion. Only failed assertion crashes are discarded by default.
The zzuf.pl script has been refactored for improved performance, sanity, and modularity. (Thanks Allen!)
The BFF now performs automatic crashing testcase minimization via fuzzdiff. (Thanks Dan!)
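The SIGABRT handling described above can be illustrated with a short triage routine. This is an added example, not BFF's own code: it assumes the decision is made from a gdb backtrace and that glibc's symbol names are resolvable; the function names `classify_sigabrt` and `should_discard` are hypothetical, and the sample backtraces are constructed.

```python
import re

# Function name of each frame in gdb "bt" output, with or without an address.
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([^\s(]+)", re.M)

# glibc entry points (assumption: target is linked against glibc, symbols visible).
ASSERT_FRAMES = {"__assert_fail", "__assert_fail_base", "__assert_perror_fail"}
GLIBC_CHECK_FRAMES = {"malloc_printerr", "__libc_message", "__fortify_fail",
                      "__stack_chk_fail", "__chk_fail"}

def classify_sigabrt(backtrace):
    """Return 'assertion', 'glibc-check' or 'unknown' for a SIGABRT backtrace."""
    for raw in FRAME_RE.findall(backtrace):
        name = raw.lstrip("*")                 # older gdb prints "*__GI_raise"
        if name.startswith("__GI_"):           # glibc-internal alias prefix
            name = name[len("__GI_"):]
        if name in ASSERT_FRAMES:
            return "assertion"
        if name in GLIBC_CHECK_FRAMES:
            return "glibc-check"
    return "unknown"

def should_discard(backtrace):
    """Discard only confirmed assertion failures; keep anything uncertain."""
    return classify_sigabrt(backtrace) == "assertion"

# Constructed sample backtraces (not taken from a real fuzzing run).
ASSERT_BT = """\
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a3abd7 in __assert_fail_base (fmt=0x7ffff7b8a1a0) at assert.c:92
#3  0x00007ffff7a3ac82 in __GI___assert_fail (assertion=0x4006a4 "len < 16") at assert.c:101
#4  0x0000000000400596 in parse_hdr (buf=0x602010) at parse.c:42
"""
HEAP_BT = """\
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a847ea in __libc_message (do_abort=2) at libc_fatal.c:175
#3  0x00007ffff7a8d37a in malloc_printerr (str=0x7ffff7b9a0c8) at malloc.c:5007
#4  0x00007ffff7a9153c in _int_free (av=0x7ffff7dd1b20, p=0x602000) at malloc.c:3868
#5  0x00000000004005f2 in free_image (img=0x602010) at image.c:88
"""
PLAIN_ABORT_BT = """\
#0  raise (sig=6) at raise.c:54
#1  0x00007ffff7a4402a in abort () at abort.c:89
#2  0x0000000000400611 in handle_error (code=3) at util.c:17
"""

if __name__ == "__main__":
    for label, bt in (("assert", ASSERT_BT), ("heap", HEAP_BT), ("abort", PLAIN_ABORT_BT)):
        print(label, classify_sigabrt(bt), "discard" if should_discard(bt) else "keep")
```

A SIGABRT with no recognizable frame is classified as unknown and kept, so an unresolved backtrace never causes a heap corruption crash to be dropped.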
In academia, government, and industry, DevOps has become a standard, straightforward option for streamlining efforts and increasing comprehensive participation by all stakeholders in the software development lifecycle (SDLC). In highly regulated environments (HREs) within these three sectors, however, applying DevOps can prove challenging. HREs are mandated by policies for various reasons, most often general security and protection of intellectual property, which makes the sharing and open-access principles of DevOps that much harder to apply. In this blog post series, DevOps and HREs, which is based on a published paper, we will discuss the process, challenges, approaches, and lessons learned in implementing DevOps in the software development lifecycle in HREs. In this first post, we will explore challenges (and goals) to implementing DevOps in HREs. The majority of what you will read in the series stems from our experiences in performing these tasks. In addition to presenting challenges, this post gives an overview of what an HRE is, what you should expect to find in these environments, and what DevOps implementation obstacles may be present.